Multinational Marketers Fail to Meet Safe Harbor Privacy Standards

At least 75 U.S. companies that do business overseas are missing the mark on data privacy under the "safe harbor" principles, according to a study released last week by business consultancy Andersen.

These lapses could have serious implications if the Federal Trade Commission, the policing agent in the United States for safe harbor, begins evaluating international marketers' data practices.

In the study, Andersen looked at 75 Fortune 500 and midsize U.S. firms in the financial services, retail, technology, telecommunications/media/entertainment and travel/leisure industries. It checked each company's data practices against the six principles of the European Union-U.S. safe harbor agreement, which took effect in November.

Under the European Union's data privacy directive, personal information may not be transferred to countries without "adequate" privacy protection. Because the United States does not have a privacy law, the European Union saw the need to implement rules that must be followed by U.S. businesses to protect European data from misuse. As a result, six principles were drafted to ensure the safety of personal information.

The principles -- as negotiated by the European Commission and the U.S. Department of Commerce -- are: notice of what information is collected and how it is used; choice to opt out of third-party data sharing; security precautions to safeguard data; data integrity processes for the collection of relevant data only for specified use; access to information and the ability to correct or delete it; and enforcement of privacy protection and consequences for lapses.

According to the study results, none of the firms studied met all six of the principles; two were found to be in compliance with five; and eight were in compliance with only one of the six.

Enforcement was a problematic area for most of the Web sites examined, with just 5 percent offering assurance of compliance and consequences for noncompliance.

Among other findings, adequate notice of what information was collected was given on 25 percent of the 75 sites; 34 percent addressed access to data; 46 percent offered adequate security; 74 percent addressed data integrity; and 80 percent provided choice.